Tech Insight
Stay updated on new and upcoming EU Tech regulations
Data and Privacy
Stay updated on the regulations shaping the future of data management and privacy in the EEA.
Data Act
Regulation 2023/2854 on harmonised rules on fair access to and use of data
Status
- EU: Published in the Official Journal on 22 December 2023. Date of application is 12 September 2025
- EEA: Considering relevance
- Norway: Pending. Implementation expected to be done through amendments to the Norwegian Contracts Act and Copyright Act.
Scope
The Data Act targets connected products within the Internet-of-Things ecosystem, namely products capable of gathering, generating or collecting data communicated via various means. The key subjects of the Act are “data holders”, including natural or legal persons with the right or obligation to use and make available data (typically manufacturers of connected products and providers of related services).
Relevance
The Data Act seeks to foster a competitive and fair data market, stimulate data-driven innovation, and ensure data accessibility. The Act will most likely lead to increased data transfers across national borders. Norwegian businesses should therefore ensure that they have the right to use the data they hold, for example, through explicit agreements. Furthermore, businesses should ensure that their data can be effectively shared: that it is available in real time, that it is continuously in a machine-readable format, and that sharing is done free of charge. Businesses should also implement procedures on how to initiate access to and deliver data to third parties.
Key Obligations
The Data Act empowers users of IoT products to access data from data holders under fair, reasonable and non-discriminatory terms (i.e. through a right to access data generated by the products, and a right to portability allowing users to migrate to third-party services). The Act further limits an encompassed entity’s possibility to discriminate against data recipients, and introduces a “policing of reasonableness” with respect to standard terms used towards micro, small and medium-sized enterprises. Finally, data holders are under an obligation to share data with governmental bodies upon further defined conditions.
Short Term Accommodation Rental Data
Regulation (EU) 2024/1028 on data collection and sharing relating to short-term accommodation rental services
Status
- EU: Date of application is 20 May 2026
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending
Scope
This Regulation focuses on online platforms that connect hosts and guests for short-term accommodation rentals (such as Airbnb). It seeks to create a harmonized and streamlined framework for the registration of hosts and their properties, aiming to reduce inconsistencies in how data is shared across the EU.
Relevance
The Regulation is intended to address the challenges and impacts of short-term accommodation rentals on local communities, such as excessive tourism flows and the scarcity of affordable housing.
Key Obligations
Providers of online platforms will be required to enable hosts to display registration numbers and share specific data about hosts’ activities and listings with public authorities. This includes information on rented nights and guests, facilitating compliance with registration requirements and supporting policy and enforcement efforts.
Public authorities will be required to maintain appropriately designed registration schemes for hosts, which are obligatory if public authorities wish to collect data for policymaking and enforcement purposes.
Data Governance Act
Regulation 2022/868 on European data governance
Status
- EU: Date of application was 24 September 2023
- EEA: Considering relevance
- Norway: Government Proposal announced 26 June 2024. Two new laws are proposed. A new Data Sharing Act will implement the Open Data Directive, while a new Norwegian Data Governance Act will implement the eponymous EU directive.
Scope
The DGA primarily applies to public sector bodies, but also to providers of data intermediation services, which are platforms or entities that facilitate the sharing of data between data holders and data users. The DGA aims to increase the availability of data for use and re-use, particularly focusing on data held by public sector bodies. It addresses the need for trustworthy data intermediation services and promotes data altruism by encouraging individuals and businesses to make their data available for the common good, such as for research, healthcare, and education.
Relevance
The DGA aims to address technological and trust barriers that have previously limited data sharing in the EEA, thereby enhancing the EEA’s competitiveness and data sovereignty on a global scale. Implementation in Norway will not only enhance Norway’s data governance landscape but also facilitate cross-border data flows with EU countries, thereby supporting Norway’s participation in the European digital single market.
Key Obligations
The DGA introduces a legal framework to ensure sharing and accessibility of data, including by prohibiting exclusivity agreements related to data in the public sector and imposing an obligation to share data based on non-discriminatory, transparent and proportionate terms.
Data intermediation services must operate under strict conditions to ensure trustworthiness, transparency, and non-discrimination, and providers will be under an obligation to notify the competent authority of their intention to provide such services.
The act encourages data altruism, where individuals and organizations voluntarily share data for purposes deemed to be for the common good, under regulated and protected conditions.
The DGA further provides a framework for the re-use of public sector data, allowing for the sharing of data that cannot be made openly available due to existing protections, under certain conditions to ensure data privacy and security are maintained. Public sector bodies’ ability to charge fees for allowing re-use will also be limited.
ePrivacy Regulation
Proposal for a Regulation concerning the respect for privacy in electronic communications (COM(2017) 10)
Status
- EU: Trilogue initiated on 28 March 2022. Currently stalled
- EEA: Pending
- Norway: Pending
Scope
The proposed Regulation applies to the processing of data in connection with the provision and use of electronic communication services. In addition to traditional telecom companies, the proposal will apply to Over-The-Top (OTT) service providers offering messaging, voice calls, and email services over the internet (e.g. WhatsApp, Skype, and Gmail).
Companies using electronic communication data (e-com data) for advertising and marketing purposes (including by employing cookies and similar tracking technologies) are also subject to the Regulation.
Relevance
The ePrivacy Regulation, once finalized and adopted, will necessitate adjustments in the Norwegian Electronic Communications Act and Marketing Act, and in how Norwegian companies manage electronic communications and direct marketing. Upon implementation, companies will need to re-assess how they provide electronic communication services and direct marketing and prepare for the operational, strategic, and financial implications of compliance. Regulatory fines are proposed to be set at the higher of EUR 10,000,000 or 2 % of the worldwide annual turnover for undertakings. However, political agreement and adoption of the proposal have been delayed several times since the original proposal in 2017, and the incumbent Spanish Council Presidency does not regard the e-Privacy Regulation as a priority file. Accordingly, it may still take time before we see any progress towards an adopted Regulation.
Key Obligations
The proposal imposes strict confidentiality requirements for e-com data, including a general prohibition on listening, tapping, intercepting, or processing communications without user consent. The proposal further details specific lawful grounds for the processing of e-com data, related metadata and content (voice, video, sounds exchanged through an electronic communications service).
The proposal also sets out specific obligations with respect to the use and collection of information from terminal equipment (such as smartphones, laptops, and connected smart home devices), which includes the use of cookies and similar technology. As a general rule, an informed, specific, and freely given consent is required unless such terminal equipment use is non-privacy intrusive, or necessary to provide a service or transmit communication. The proposal allows consent to be provided “by using the appropriate technical settings of a software application enabling access to the internet” (such as a web browser).
Software that enables electronic communications, including internet browsing, must include options to block third-party information storage or processing on the user’s device. When installing such software, users must be informed about privacy settings and must consent to a specific setting before proceeding.
Finally, the proposal imposes restrictions on unsolicited marketing communications, i.e. by requiring explicit consent as a starting point.
Financial Data Access (FIDA) Framework
Proposal for a regulation on a framework for financial data access (COM/2023/360)
Status
- EU: Commission proposal published on 28 June 2023
- EEA: Pending – the Commission has marked the FIDA proposal as EEA-relevant
- Norway: Pending
Scope
The FIDA proposal intends to increase access to and reuse of customer data from financial services, e.g. data on insurance, investments, loans, and pensions. The purpose is to improve the conditions for new and innovative data-driven services, as well as to ensure a more transparent financial sector for customers. Moreover, the proposal seeks to facilitate more tailored and customer-oriented financial services.
Relevance
FIDA is still at the early stages of the EU legislative process and is subject to change. However, financial service providers subject to the proposal should keep a keen eye on developments in the EU, as compliance with FIDA is likely to require significant resources.
Key Obligations
Financial service providers must grant access to customer data to other financial service providers and entities deemed as Financial Information Services Providers (FISPs), which is a newly introduced category of entities subject to the proposal. In short, FISPs collect customer data, with the customer’s consent, in order to reuse the data and provide financial information services. Operating as a FISP will require a license and FISPs will be subject to audit from national competent authorities. Holders and users of financial data need to join a “Financial Data Sharing Scheme”, a framework intended to govern the sharing of data in compliance with FIDA and other applicable EU legislation, e.g. the GDPR.
European Health Data Space
Proposal for a Regulation on the European Health Data Space (COM(2022) 197)
Status
- EU: European Parliament and the Council are still discussing. Close to adoption. Latest event: 24 April 2024.
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending
Scope
The European Health Data Space (EHDS) primarily targets manufacturers and suppliers of EHR systems and wellness applications, and other controllers and processors of health data. The proposal seeks to empower individuals with greater control over their electronic health data and facilitate its use by researchers, innovators, and policymakers.
Relevance
The Regulation will allow Norwegian patients to benefit from improved cross-border healthcare services, as the EHDS facilitates easier access and transfer of health data across the EU/EEA. Norwegian researchers and innovators in the health sector could gain access to a broader pool of health data, fostering collaboration and accelerating developments in medical research and digital health solutions.
The proposed Regulation is likely to require amendments to Norwegian health legislation, such as Pasientjournalloven and Helseregisterloven.
Key Obligations
The proposal entails a right for individuals to access their own health data and enables them to share their own health data with medical personnel across the EEA. The Regulation further establishes a common European format for patient journals and other medical documentation, which healthcare providers will have to adhere to.
The EHDS sets out conditions under which health data can be used for purposes beyond direct healthcare, such as research, innovation, public health, and policy-making. Entities wishing to access health data for these secondary purposes must comply with strict governance and privacy standards, ensuring data use is ethical and secure.
The negotiated compromise between the EU bodies includes a right for patients to opt out of secondary use of their health data, except for public interest purposes, policy making, statistics and research purposes in the public interest.
Artificial Intelligence
Delve into the laws and guidelines that are shaping AI development, ethical standards, and application in the EEA.
Artificial Intelligence Act
Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence
Status
- EU: In force from 1 August 2024
- EEA: Pending
- Norway: Pending
Scope
The EU AI Act aims to regulate the use of artificial intelligence across the EEA. It is designed to ensure AI systems are safe, transparent, and accountable. The Act classifies AI applications into risk categories (unacceptable risk, high risk, general-purpose AI models with systemic/non-systemic risk) and sets out specific requirements and standards for each category.
The AI Act imposes the most stringent regulatory burden on natural or legal persons developing and placing AI Systems on the market, but also targets importers, distributors and users using an AI system under their authority (deployers).
High-risk AI systems encompass systems which may be used for various purposes in different sectors, such as safety components in critical infrastructure, HR (recruitment and decision-making) and education.
Relevance
The AI Act is the first comprehensive law on AI by a major regulator anywhere. Norwegian businesses operating in or entering the EU market will need extensive knowledge of its requirements (when finalized), particularly around high-risk applications and general-purpose AI systems, to capitalize on innovation opportunities while adhering to regulatory expectations. Needless to say, the AI Act’s provision for imposing fines up to €35 million or 7% of global turnover (depending on severity and type of breach) for non-compliance highlights the EU’s serious commitment to ensuring AI is used and manufactured responsibly.
Key Obligations
AI systems with unacceptable risk are prohibited (such as systems deploying subliminal or manipulative techniques to affect a person’s behaviour or decisions, and systems using real-time remote biometric identification in publicly accessible spaces).
For high-risk AI systems, providers are, among other things, obliged to implement a risk management system, ensure quality of training data, and provide information enabling deployers to interpret the system’s output and use it appropriately. The system design must allow for human oversight, and achieve an appropriate level of accuracy, robustness and cybersecurity.
Deployers of high-risk AI systems must implement measures to ensure and monitor that the systems are used in compliance with their instructions, ensure human oversight by competent personnel, ensure that input data is relevant and sufficiently representative and, depending on the intended use, provide information to affected users and conduct an impact assessment.
General Purpose AI Systems (systems with capability to serve a variety of purposes, such as OpenAI) will be subject to mandatory transparency requirements, technical documentation, compliance with copyright laws, and detailed summaries of training data content. High-impact general-purpose AI models will face additional obligations, including risk assessments and reporting on incidents and energy efficiency.
AI Liability Directive
Proposal for a Directive adapting non-contractual civil liability rules to AI (COM(2022)496)
Status
- EU: Commission proposal of 28 September 2022
- EEA: Pending
- Norway: Pending
Scope
The proposed Directive seeks to regulate civil law claims based on damages caused by an AI system under fault-based liability regimes (negligent acts or omissions).
It is primarily providers of AI systems that may be subject to liability under the act, but also distributors, importers, users or other third-parties who place on the market or put into service a high-risk AI system, modify the intended purpose of a high-risk AI system already placed on the market or put into service or make a substantial modification to a high-risk AI system.
Relevance
The proposal responds to challenges identified in existing liability frameworks that struggle to accommodate claims for damages caused by AI, due to the technology’s complexity, autonomy, and opacity. This situation potentially leaves victims unable to pursue compensation effectively, facing high upfront costs and prolonged legal proceedings.
Implementation in Norway will potentially require amendments of the Norwegian Dispute Act, i.e. due to the introduction of special rules on the burden of proof and presentation of evidence.
Key Obligations
The proposal will empower courts to order the disclosure of evidence related to specific high-risk AI systems suspected of causing damage, aiming to assist claimants in gathering necessary evidence for their claims.
The proposal further introduces rebuttable presumptions to assist claimants in proving their cases, especially concerning the causal link between an AI system’s output (or lack thereof) and incurred damages. For high-risk AI systems, if a defendant is shown to have breached specific obligations under the AI Act or failed to comply with evidence disclosure orders, courts may presume their fault contributed to the harm.
Obligations and presumptions vary based on whether the AI system in question is classified as high-risk. For non-high-risk AI systems, courts will apply a presumption of causality only if proving such a link would be excessively difficult for the claimant. Where AI systems are used in personal, non-professional capacities, the proposal limits the application of causality presumptions, applying them only if the non-professional user significantly interfered with the AI system’s operation.
Consumer Protection
Ensure that your T&Cs are drafted in accordance with mandatory consumer legislation in the EEA
Amendment of the Alternative Dispute Resolution (ADR)
Directive and repeal of the online dispute resolution (ODR) Regulation (COM(2023)649)
Status
- EU: Commission Proposal published on 17 October 2023
- EEA: Marked as EEA relevant
- Norway: A public consultation was initiated by the Ministry of Children and Families 31 January 2024, with deadline set at 2 April 2024
Scope
The European legislation on out-of-court consumer redress (the ADR Directive and the ODR Regulation) was adopted in 2013. The ADR Directive establishes a general framework for consumer redress, obliging Member States to ensure that consumers can submit their disputes to ADR entities, and can resolve disputes fairly, quickly and affordably. The ODR Regulation was adopted for the purpose of establishing the European Online Dispute Resolution Platform (the ODR Platform) where consumers and traders could refer their disputes over online purchases to ADR entities.
On 17 October 2023, the Commission adopted a proposal to review the ADR framework by means of:
- A legislative proposal amending the current ADR Directive.
- A legislative proposal to repeal the ODR Regulation.
- A recommendation addressed to online marketplaces and EU trade associations having a dispute resolution mechanism and to Member States.
Relevance
The proposal to amend the ADR Directive aims to make the ADR framework fit for digital markets by covering all categories of disputes concerning EU consumer rights, improving access to ADR in cross-border disputes and simplifying ADR procedures for all actors. The purpose of the repeal of the ODR Regulation is to replace it with user-friendly digital tools to assist consumers in finding a redress tool to resolve their dispute.
The proposal to repeal the ODR Regulation and amend the ADR Directive will require amendments to the Norwegian Lov om godkjenning av klageorganer for forbrukersaker (godkjenningsloven) and Forskrift om klageorganer i forbrukersaker.
Key Obligations
The proposal to repeal the ODR Regulation removes the obligation on online businesses to provide a link to the ODR platform and manage an email address for communication.
The proposal to amend the ADR Directive includes an extension of the scope of the ADR Directive to all infringements of EU law with a consumer protection dimension, e.g. related to discriminatory practices, issues related to switching of service providers, emission of pre-contractual information, and remedies related to the right of repair. Third-country traders can voluntarily participate in ADR procedures. It is also voluntary for EU traders to participate in the ADR unless required through EU or national legislation. However, traders will have to reply within 20 working days as to whether they intend to participate in the ADR or not.
Member States will designate a European Consumer Centre, consumer organization or another body as ADR contact points to facilitate communication between the parties, assist with the process, provide the parties and ADR entities with general information on EU consumer rights and on the procedural rules applied by the ADR entities identified or inform of other means of redress when a dispute cannot be resolved through an ADR procedure.
Consumer Sales and Guarantees
Directive (EU) 2019/771 on certain aspects concerning contracts for the sale of goods
Status
- EU: Date of application was 1 January 2022
- EEA: Incorporated in the EEA agreement. Compliance date and entry into force is 1 April 2024
- Norway: Implemented by amendments to the Norwegian Consumer Sales Act, with effect from 1 January 2024
Scope
The Directive and Norwegian implementation impose mandatory requirements on consumer agreements regarding the sale of goods, with some exceptions.
Services falling under the scope of the Digital Content Directive are not covered, except where digital services are incorporated into goods (such as smartphones and other products with software).
Relevance
The implementation of the Directive is of significant relevance to both consumers and businesses in Norway. As a total harmonization Directive, it represents a shift from its predecessor from 1999, which allowed for national laws to provide stronger consumer protection than the Directive. The amended Consumer Sales Act may necessitate changes to existing business practices, particularly in terms of standard contract terms, product conformity, and consumer remedies. Businesses will need to review and potentially revise their contracts and terms of service to ensure they are in line with the new regulations.
Key Obligations
The Consumer Sales Directive, which is currently implemented in the Norwegian Consumer Sales Act, has undergone new changes to strengthen consumer protection. The changes include clarifications on subjective and objective requirements to the contract, an expansion of the seller’s burden of proof, and the seller’s right to recourse against previous parties in the supply chain.
Some key changes to the Norwegian Consumer Sales Act include i) regulations governing situations where assets are purchased together with digital services; ii) requirements that consumers must be made “specifically aware” of any exceptions from the act’s quality requirements and “expressly and specifically” accept them; iii) removal of the possibility for “sold as is” reservations; iv) the possibility to claim damages for non-economic loss; and v) the possibility to terminate for breach also for the part of the sold goods that is not related to a breach of contract where the consumer cannot reasonably be expected to retain such parts.
Digital Content Directive
Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services
Status
- EU: Date of application was 1 January 2022
- EEA: Incorporated in the EEA agreement. Compliance date and entry into force is 1 April 2024
- Norway: Implemented in the Act of June 17, 2022, No. 56 on the provision of digital services to consumers (the Norwegian Act on Digital Services)
Scope
The DCD and Norwegian implementation apply to contracts where traders supply digital content or digital services to consumers. Digital content includes data produced and supplied in digital form, such as music, videos, apps, games, and e-books. Digital services encompass services that allow the consumer to create, process, store, or access data in digital form, or services that allow the sharing of data or any other interaction with data in digital form provided by the consumer.
The Directive covers both paid-for digital content or services and those provided in exchange for personal data, except where the personal data is exclusively processed for the purpose of supplying the digital content or service or for compliance with legal requirements.
Relevance
Prior to implementing the DCD in Norway, the provision of digital services to consumers was largely determined based on unwritten contractual law principles and by analogy from statutory rules. With the DCD, consumer rights are enhanced, while the ability of economic operators to create their own standard terms is limited. By imposing transparency requirements and limiting the right to amend services, increase fees and operate with long agreement terms, the DCD protects consumers from potentially unfair practices and ensures a higher degree of transparency and fairness in the digital market. It also seeks to harmonize digital contract law across the EEA, reducing uncertainty and creating a more predictable legal environment for both consumers and businesses.
Key Obligations
The DCD and Norwegian implementation impose mandatory requirements on consumer contracts and quality standards.
With respect to quality of digital content and services, the Norwegian implementation requires suitability for purpose, regular updates, conformity with the consumer’s reasonable expectations, and compliance with legal requirements at the time the contract was entered into. It is noteworthy that the act does not impose any availability requirements (such as service level commitments). For any deviations from the quality standards, the consumer must be made “specifically aware” of these and “expressly and specifically” accept them.
Defects and delays are made subject to remedies familiar from Norwegian law (rectification, price reduction, termination for breach and damages for economic loss). “Sole remedy” and limitation-of-liability clauses typically seen in digital services standard terms may thus be unlawful.
The Norwegian implementation further limits the right to amend fees or services. The providers’ ability to amend services beyond what is necessary to comply with the agreement and quality standards presupposes i) a legal basis in the agreement; ii) no extra charge for the consumer; and iii) informing the consumer in a clear manner. The consumer is also given the right to terminate for breach if changes affect the service in a “non-insignificant” manner. The consumer may also cancel the agreement upon price changes beyond “what the change in the consumer price index would suggest”.
Finally, the maximum agreement term is set to six months, but exceptionally up to 12 months in “special cases”. In addition, if a consumer has agreed to periodic payments for an ongoing service and fails to make a payment within a 6-month period after the payment is due, the contract is considered terminated.
Empowering consumers for the green transition
Directive (EU) 2024/825 amending Directives 2005/29/EC and 2011/83/EU as regards empowering consumers for the green transition through better protection against unfair practices and through better information
Status
- EU: Adopted on 28 February 2024. Deadline for implementation is 27 September 2026
- EEA: Considering relevance
- Norway: Pending. Implementation will likely result in an amendment of the Norwegian Cancellation Act, the Marketing Control Act, the Agreements Act, and the Norwegian Regulation on unfair commercial practices
Scope
The Directive amends Directive 2005/29/EC on unfair business-to-consumer commercial practices (Unfair Commercial Practices Directive) and Directive 2011/83/EU on other consumer rights.
Relevance
The Directive is meant to promote the green transition and sustainability, and must be considered in conjunction with the proposal for a Green Claims Directive (COM(2023) 166). Implementation in Norway will likely result in an amendment of the Norwegian Cancellation Act, the Marketing Control Act, the Agreements Act, and the Norwegian Regulation on unfair commercial practices.
Key Obligations
The obligations are intended to ensure better information about sustainability and stronger protection against commercial practices that undermine sustainable consumption, such as deceptive environmental marketing (‘greenwashing’), premature product obsolescence, and unreliable and vague sustainability labelling. Additionally, producers must inform about the product’s durability on certain conditions. Producers must also inform consumers of how easily repairable the product is.
More specifically, the amendments to the Unfair Commercial Practices Directive concern the following: amendments to Article 6 and 7 concerning misleading marketing based on a case-by-case assessment, and an amendment to Annex I concerning practices that are considered to be unfair at all times (the so-called “blacklist”).
Enforcement and Modernisation Directive
Directive (EU) 2019/2161 on better enforcement and modernisation of EU consumer protection rules
Status
- EU: Date of application was 28 May 2022
- EEA: Incorporated in the EEA agreement. Compliance date and entry into force is 1 April 2024
- Norway: Implemented with effect from 1 October 2023
Scope
The Directive amends existing rules on unfair terms in consumer contracts (Directive 93/13/EEC), consumer protection in the indication of the prices of products offered to consumers (Directive 98/6/EC), unfair business-to-consumer commercial practices (Directive 2005/29/EC), and other consumer rights (Directive 2011/83/EU).
Relevance
The changes aim to make consumer protection rules more robust and adaptable in a digital world. There are now more formal requirements when consumers “pay” with personal data. Additionally, the new rules concerning digital marketplaces will require a closer examination of how the Directive affects individual businesses and service providers. For Norway, the Directive is implemented through amendments to the Marketing Act, Right of Withdrawal Act, Contract Act, E-commerce Act, Consumer Sales Act, Digital Services Act, and more.
Key Obligations
The Directive aims to further strengthen consumer protection, and we will outline some of the changes. Firstly, the rules regarding penalties for violations of consumer rights will be enhanced. Responsible supervisory authorities will be able to impose fines, among other measures. Secondly, it will be prohibited to not clearly label promoted search results, in which a business has paid to appear at the top of a search result. This applies to search engines, digital marketplaces, and price comparison services, among others. The Directive on unfair business-to-consumer commercial practices and the Directive on other consumer rights (which includes the right of withdrawal) will include rules on information requirements for digital marketplaces. The term “digital marketplace” has a technology-neutral definition.
The rules in the Directive on other consumer rights, which include the right of withdrawal, will also apply to digital services where the consumer “pays” with personal data. Furthermore, new requirements for marketing price reductions will be introduced, requiring the lowest previous price in the last 30 days to be disclosed.
European Accessibility Act
Directive (EU) 2019/882 on the accessibility requirements for products and services
Status
- EU: Date of application is 28 June 2025
- EEA: Considering relevance
- Norway: Pending
Scope
The Directive imposes obligations on manufacturers, importers, distributors and suppliers of general consumer hardware systems and their associated operating systems, certain self-service terminals, banking services, electronic communication services, services providing access to audiovisual media services, e-commerce services, and e-books with accompanying software.
Relevance
The Directive will impact the value chain of the aforementioned goods and services, which includes a wide range of stakeholders. These include manufacturers and providers of e-communication services, e-commerce, and audiovisual media services. We can assist in assessing how the Directive will affect your business.
The Norwegian implementation is expected to be done through the Act relating to equality and a prohibition against discrimination, or a new act or regulation.
Key Obligations
Products and services in scope must meet the accessibility requirements outlined in an annex to the Directive, which include aspects such as packaging labelling, functionality, and support services. However, these are only overarching requirements, and it is the responsibility of member states to define the specific technical requirements.
More specifically, the Directive will require providers of websites and applications to enable audio-assisted interfaces for visually impaired users, and physical products must avoid modes of operation requiring extensive reach and great strength. Additional requirements apply for specific services such as consumer banking and e-commerce services, which, among other things, are required to provide consumers with perceivable, operable, understandable and robust identification methods and electronic signatures.
Green Claims Directive
Proposal for a Directive on substantiation and communication of explicit environmental claims (COM(2023) 166)
Status
- EU: Commission Proposal published on 22 March 2023. European Parliament and Council are discussing. European Parliament has adopted its first reading position on 12 March 2024. The new Parliament will have to follow up after the European elections taking place from 6 – 9 June 2024
- EEA: Pending
- Norway: Pending. There are already positive signals from Norwegian legislators in favor of the proposal. Implementation will likely result in an amendment of the Norwegian Marketing Act and the Norwegian Consumer Labelling Act.
Scope
The Proposal aims to regulate claims and labels which explicitly or implicitly give the impression that a product or a business has a positive, less negative or no impact on the environment. It also aims to regulate claims and labels related to improvements of the product or business over time, in terms of environmental impact.
The initiative complements Directive 2024/825, which amends the Unfair Commercial Practices Directive (2005/29/EC) and is meant to empower consumers for the green transition.
Relevance
The Proposal will impose further regulations on traders offering their products and business to consumers. Traders should adopt a life-cycle perspective on the goods and services offered to consumers, and not only assess whether or not the production method is environmentally friendly. The proposal should be seen in connection with the Unfair Commercial Practices Directive.
Implementation in Norway will likely result in an amendment to the Norwegian Marketing Act or through the adoption of new national legislation.
Key Obligations
The Proposal sets out obligations on traders to properly substantiate environmental claims. Traders must be able to verify assessments behind claims and labels before the product or business is presented to the consumers. This entails a so-called “ex-ante assessment”, which is a novelty compared to the current regulations found in the Unfair Commercial Practices Directive.
As per the Unfair Commercial Practices Directive, it is up to the member states’ consumer protection authorities to prove that environmental claims are false – partially or wholly. This burden of proof will, according to the proposal, be shifted to the traders using such claims to advertise their products or business. Further, the proposal states that an independent third party will have to verify the documentation and communication of environmental claims before such claims can be directed towards the consumers.
New Product Liability Directive
Proposal for a revised product liability Directive (COM (2022)495)
Status
- EU: European Parliament and the Council are still discussing. Close to adoption. Latest event: 12 March 2024.
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending
Scope
The proposed Directive applies to economic operators, such as manufacturers, importers and distributors, of “products”. Providers of online platforms that allow consumers to conclude contracts with traders are also subject to the Directive.
The proposed Directive extends the scope of potentially liable entities by defining software, digital manufacturing files and certain digital services as “products” in the meaning of the Directive. Therefore, the proposal will be of relevance for technology companies offering digital products.
The scope of the proposed Directive does not extend to the source code itself or to non-commercial open-source software.
Relevance
The proposal is set to replace the current Directive on product liability. Its overarching goal is to bring the EU product liability regime up to speed with the digital age, circular economy and global value chains. While the proposed Directive has many similarities with the current Directive, it introduces important changes for the technology sector through new provisions that clarify the scope of product liability for digital products (software etc.).
Key Obligations
Entities covered by the proposed Directive are subject to a strict liability (liability regardless of fault) for damages caused by defective products, including defective software and digital manufacturing files. Liability arises when an injured person proves that the product was defective, that he/she has suffered damages, and that there is a causal link between the damage and the product’s defectiveness.
According to the proposal, product defectiveness may extend to the lack of software updates under the manufacturer’s control as well as the failure to address cybersecurity vulnerabilities.
The proposed Directive extends the nature of damages to loss and corruption of data that is not used exclusively for professional purposes. Hence, its implementation may affect limitations of liability for the customer’s loss of data in B2C-contracts.
Furthermore, the proposed Directive introduces new rules on evidence, which alleviate the burden of proof, for example when the claimant meets excessive difficulty in proving defectiveness or a causal link because of the scientific or technical complexity of the product (e.g. AI-systems).
Representative Actions Directive
Directive (EU) 2020/1828 on representative actions for the protection of the collective interests of consumers
Status
- EU: Date of application was 25 June 2023
- EEA: Considering relevance
- Norway: Pending
Scope
The Directive provides remedies for national administrative authorities and courts to address harmful practices against consumers.
Relevance
The Directive should be considered in conjunction with the Norwegian Digital Services Act. If the directive is incorporated into the EEA Agreement, the Consumer Authority will gain the authority to make decisions regarding remedies for consumers. Courts in Norway already have the authority to make the aforementioned decisions.
Implementation in Norway will likely result in an amendment of the Norwegian Regulation on Consumer’s Collective Interests.
Key Obligations
The Directive modernizes and replaces Directive 2009/22/EC. Courts and administrative authorities should be able to adopt decisions declaring the actions of a business to be unlawful, and that they must therefore be stopped. Additionally, they should have the authority to adopt decisions regarding remedies for the consumer, including rectification, price reduction, termination, and compensation.
Right to repair
Directive (EU) 2024/1799 on common rules promoting the repair of goods
Status
- EU: Date of application is 31 July 2026
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending.
Scope
Manufacturers have an obligation to repair products to the extent reparability requirements are provided for by Union legal acts. The Commission may also widen the scope of products in implementing acts. The Directive imposes obligations on manufacturers, and by extension importers and distributors, and independent repair service providers. The Directive applies both within and outside a legal guarantee given by the seller.
Relevance
The Directive imposes further obligations on manufacturers to repair goods and will encourage sustainable choices for consumers. Implementation in Norway is expected to be done through amendment of the Consumer Sales Act.
Key Obligations
The Directive is meant to promote a circular economy by making it more attractive for consumers to repair products instead of buying new products. Manufacturers will have an obligation to repair, either for free or for a reasonable price. Furthermore, manufacturers must inform consumers about their obligation to repair and provide information on the repair services in an easily accessible, clear and comprehensible manner. Manufacturers must also make spare parts available to repair service providers, and cannot prevent service providers from using 3D-printed or second-hand spare parts. The seller’s guarantee period will be extended by 12 months after a repair, when the defect falls under the seller’s liability period.
Additionally, the Directive includes certain safeguards for consumers when engaging with repair service providers. Lastly, the Directive establishes a European online platform which will enable consumers to find repair service providers.
Cybersecurity
Unveil the policies and regulations aimed at protecting information systems, data and critical systems in the digital age.
Critical Entities Resilience Directive
Directive (EU) 2022/2557 on the resilience of critical entities
Status
- EU: Date of application is 18 October 2024
- EEA: Pending
- Norway: Pending
Scope
The Resilience of Critical Entities Directive (CER) applies to critical entities identified by member states within the sectors energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, public administration, space and production, processing and distribution of food.
The Directive aims to harmonize cyber resilience requirements in the EEA by ensuring that risks are more comprehensively accounted for. This includes addressing the dynamic threat landscape, such as hybrid and terrorist threats, and the physical risks from natural disasters and climate change.
While the CER-directive to some extent overlaps with the NIS2 Directive, the former focuses on the broader concept of resilience across critical entities, including physical security, risk management, and recovery from a wide range of threats. The CER-directive does not apply to matters covered by NIS2 Directive (i.e. cybersecurity matters).
Relevance
The CER-Directive is expected to strengthen the risk awareness and contingency planning of critical entities in the EEA, among other things by shifting attention from infrastructure and individual objects, which were the focus of its predecessor, the EPCIC directive (2008/114/EC), to services and deliveries. The EPCIC directive is currently implemented in the Norwegian Civil Protection Act chapter VI A, but the CER Directive will likely be implemented in another act, and its relationship to the Norwegian Security Act (with a partially overlapping scope) must be further examined.
Key Obligations
Member States must identify critical entities by 17 July 2026, based on their provision of essential services and the significant impact that any disruption could have. These entities must be notified of their status and obligations.
Critical entities are required to conduct risk assessments and implement appropriate and proportionate measures to ensure their resilience. This includes measures to prevent, protect against, respond to, resist, mitigate, absorb, accommodate, and recover from incidents. Entities in scope will be required to demonstrate adequate employee security management, access rights and procedures for background checks, and to ensure adequate awareness training of their personnel.
Member states must define a regime for conducting background checks for personnel with sensitive roles or access to critical premises and systems, including criminal records. For Norway, this will likely require a supplementary legal basis for obtaining a police certificate of conduct.
Entities must notify competent authorities of incidents that significantly disrupt the provision of essential services within 24 hours, followed by a detailed report no later than one month thereafter.
Cybersecurity Regulation
Regulation (2019/881) on ENISA and on ICT Cybersecurity certification
Status
- EU: Date of application 27 June 2019
- EEA: Deadline for implementation was 1 April 2024
- Norway: The Regulation will be implemented as an administrative regulation to the Norwegian Digital Security Act
Scope
The regulation primarily imposes obligations on the respective EEA Member States, requiring them to adopt a national strategy on the security of network and information systems. While it does not directly mandate requirements for individual enterprises and public bodies, it requires member states to set national frameworks that enterprises must follow (and benefit from).
The regulation also sets out the role of ENISA (the European Union Agency for Cybersecurity) in facilitating a coordinated response to large-scale cybersecurity incidents and attacks across the EU.
A significant component of the regulation is the establishment of a European framework for ICT cybersecurity certification, providing a harmonized set of standards for ICT products, services, and processes.
Relevance
The introduction of a European cybersecurity certification framework under this Regulation marks a significant step towards harmonizing the cybersecurity certification processes across the EU, potentially influencing global cybersecurity practices.
For Norway, the certification framework will expand the scope of certification reflected in today’s SERTIT scheme to include services and processes. Effective implementation will require additional resources for the national cybersecurity certification authority to handle complaints, declarations, and oversight of certification bodies. The inclusion of commercial certification bodies may increase costs for Norwegian companies that previously relied on the free certification services of SERTIT.
Key Obligations
The regulation sets out the tasks of ENISA, including in relation to policy development and legislation, enhancing cybersecurity capabilities in the EU, ensuring cooperation between member states, and developing cybersecurity standards and certifications. ENISA shall also act as an EU hub for network and information security, promoting best practices and initiatives across the EU, providing guidance and best practices for the security of critical infrastructure and digital service providers, and creating reports after significant incidents to guide organizations and citizens.
The regulation further introduces a comprehensive framework for the cybersecurity certification of ICT products, services, and processes, to be proposed by ENISA and adopted by the European Commission through implementing acts. Initially, the certification is voluntary, but the European Commission will periodically review the effectiveness and uptake of certification schemes. It may propose mandatory implementation in specific sectors covered by the NIS 2 Directive if needed.
Cyber Resilience Act
Proposal for a regulation on horizontal cybersecurity requirements for products with digital elements (COM(2022) 454)
Status
- EU: European Parliament and the Council are still discussing. Close to adoption. Latest event: 12 March 2024.
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending
Scope
The proposal aims to enhance the functioning of the internal market by introducing EU-wide cybersecurity requirements for design, development, production and making available on the market of hardware and software products.
The Regulation will apply to all products that are connected, indirectly or directly to another device or to a network. There are some exceptions for products for which cybersecurity requirements are already set out in existing rules, such as medical devices, aeronautical products and cars.
In addition to crucial cybersecurity requirements, the Regulation will impose obligations on economic operators and introduce provisions for conformity assessment, notification to conformity assessment bodies, and market surveillance.
Relevance
The objective of the proposal is to address deficiencies, clarify connections, and enhance the overall coherence of existing cybersecurity legislation. This includes ensuring the security of products with digital components, such as ‘Internet of Things’ (IoT) products, across the entire supply chain and throughout their lifespan, which will affect the businesses of manufacturers, importers and distributors alike.
Key Obligations
The main obligations from the Commission proposal are:
- Rules to rebalance responsibility for compliance towards manufacturers, imposing obligations such as providing cybersecurity risk assessments, issuing declarations of conformity and cooperation with authorities.
- Vulnerability handling processes for manufacturers to manage vulnerabilities and ensure cybersecurity in digital products, along with responsibilities for economic operators such as importers or distributors in relation to those processes.
- Steps to enhance transparency regarding the security of hardware and software products for both consumers and business users.
- Establishment of a market surveillance framework to enforce compliance with the Regulations.
Cyber Solidarity Act
Proposal for a regulation laying down measures to detect, prepare for and respond to cybersecurity threats and incidents (COM(2023) 209)
Status
- EU: European Parliament and the Council are still discussing. Close to adoption. Latest event: 24 April 2024.
- EEA: Pending
- Norway: Pending
Scope
The EU Cyber Solidarity Act aims to enhance cooperation at the Union level for better detection, preparation, and response to significant or large-scale cybersecurity incidents. This involves establishing a European Cybersecurity Shield and a comprehensive Cyber Emergency Mechanism.
Relevance
The initiative will likely not be incorporated into the EEA agreement once adopted. However, there is a chance that Norway might participate in the European Cybersecurity Shield and Cyber Emergency Mechanism through a bilateral agreement with the EU.
Key Obligations
To swiftly and effectively identify major cyber threats, the Commission proposes setting up a European Cyber Shield. This will be a pan-European infrastructure comprising national and cross-border Security Operations Centres (SOCs) across the EU. These SOCs will use cutting-edge technologies like artificial intelligence (AI) and advanced data analytics to detect and share timely warnings on cyber threats and incidents across borders. This approach allows authorities and relevant entities to respond more efficiently and effectively to major incidents.
The goal is to have these centres operational by early 2024. In preparation for the European Cyber Shield, the Commission, under the Digital Europe Programme, selected three consortia of cross-border Security Operations Centres (SOC) in April 2023. These consortia bring together public bodies from 17 Member States and Iceland.
Additionally, the EU Cyber Solidarity Act introduces a Cyber Emergency Mechanism to boost preparedness and enhance incident response capabilities in the EU.
Digital Operational Resilience Act
Regulation 2022/2554 on digital operational resilience for the financial sector
Status
- EU: Date of application is 17 January 2025
- EEA: Considering relevance
- Norway: Public consultation initiated on 23 January 2024
Scope
The Digital Operational Resilience Act (DORA) specifically targets enhancing cybersecurity within the financial sector. It encompasses a wide range of financial entities in the EU, including banks, investment firms, and payment service providers. The proposal also introduces a supervisory framework for ICT providers, such as cloud service providers.
Relevance
DORA is highly relevant in addressing the increasing cybersecurity threats faced by the financial sector, given its critical role in the economy and society at large. By imposing stringent cybersecurity measures and promoting proactive risk management practices, DORA aims to enhance the resilience of financial institutions, safeguard customer data, and maintain trust in the stability of the financial system.
Based on the public consultation initiated on 23 January 2024 in Norway, the Regulation is to be implemented by a new act on digital operational resilience for the financial sector, and amendments to several acts and Regulations in the finance sector.
Key Obligations
DORA mandates financial institutions to establish robust cybersecurity frameworks to protect their operations and sensitive data from cyber threats. This includes implementing measures such as risk assessments, ICT policies, adequate security controls and an operational resilience testing program as an integral part of the ICT-risk management framework.
Financial entities are required to establish an incident management process to detect, manage and notify ICT-related incidents, and to record all ICT-related incidents and significant cyber threats. Furthermore, the entities must report cybersecurity incidents to relevant authorities, enabling swift response and mitigation efforts. Timely reporting helps to minimize the impact of cyberattacks and enhances overall sector resilience.
The Regulation provides comprehensive rules on third party risk management. Except for micro-enterprises, all enterprises are required to have a vendor risk strategy that meets specific criteria, maintain a registry of ICT services used, and annually report new contracts and planned ICT service agreements for critical functions to the supervisory authority. Before entering into an agreement with an ICT provider, an enterprise must conduct evaluations and ensure the provider adheres to appropriate information security standards.
NIS 2 Directive
Directive 2022/2555 on measures for a high common level of cybersecurity
Status
- EU: Date of application is 18 October 2024
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending.
Scope
The Directive applies to operators of essential and important services within several sectors such as energy, transport, wastewater, food, research, IT (managed service providers and managed security service providers), public administration and postal and courier services. The margin of maneuver for member states in identifying entities subject to the directive is reduced compared with the NIS 1 Directive.
Micro- and small enterprises (fewer than 50 employees and annual turnover below EUR 10 million) are as a starting point not subject to the Directive. Such enterprises may still be encompassed, e.g. if they are considered to have a key role in society, the economy or a certain sector (e.g., sole supplier to an EU country, or entities operating a particularly vulnerable business).
The distinction between essential and important services is only relevant for the supervisory regime (ex-ante supervision for essential services, and ex-post supervision for important services).
Relevance
NIS 2 not only addresses the challenges and limitations of NIS 1 but also introduces enhanced measures to ensure a unified and robust cybersecurity framework across Europe.
Implementation in Norway will likely be done through amendments to the Digital Security Act.
Key Obligations
Like under the NIS 1 Directive, entities in scope are required to conduct a risk assessment and implement security measures appropriate to the risk. However, the NIS 2 Directive imposes a broad range of minimum measures, including: i) business continuity; ii) supply chain security; iii) policies and procedures to assess the effectiveness of cybersecurity risk-management measures; iv) basic cyber hygiene practices and training; v) policies and procedures regarding use of cryptography; and vi) human resources security.
The Directive further enhances the notification regime for cybersecurity incidents, through a three-step model where an early warning and initial information must be provided within 24 hours, an initial assessment of the incident within 72 hours, and a detailed report with identified root cause and mitigation measures within one month.
Supervisory authorities are given broad powers to supervise and impose sanctions, e.g. through on-site inspections, security scans, requests for evidence of implementation of policies, and binding instructions. Further, the regime for regulatory fines is harmonized: for essential service providers, the maximum fine must be at least EUR 10 million or 2% of the total global annual turnover of the business, whichever is higher. For important service providers, the maximum fine must be at least EUR 7 million or 1.4% of the total global annual turnover.
Norwegian Digital Security Act
Implementing NIS 1 Directive (2016/1148)
Status
- EU: Date of application was 10 May 2018
- EEA: EEA Joint Committee decided to incorporate the Directive into the EEA-agreement on 3 February 2023. Entry into force once parliaments in EEA/EFTA countries decide to adopt the decision.
- Norway: Adopted Act on Digital Security implementing the Directive on 12 December 2023. Regulation on digital security proposed 11 September 2024.
Scope
The Act applies to operators of essential services within the sectors energy, transport, banking, health, financial market infrastructure, drinking water supply and distribution and digital infrastructure. A proposed regulation to the Act outlines 28 categories of providers of essential societal services which will be subject to the act, and threshold-values. These include, among others, entities subject to the Norwegian power preparedness regulations, air traffic control services, operators of national railway networks, major ports and shipping companies, and large municipal health and care services providers.
Providers of digital cloud computing services, online search engines and online marketplaces, except for micro- and small enterprises (fewer than 50 employees and annual turnover below EUR 10 million), are also in scope.
Relevance
The Digital Security Act is the first cross-sector regulation addressing cybersecurity in Norway, and is likely to have a particularly large impact on businesses that are not already subject to sector-specific digital security requirements. However, having been “tried and tested” in the EU, the Directive faced challenges including varying national implementations, insufficient scope to cover all relevant sectors, and a lack of clarity on certain obligations, leading to fragmentation and inconsistencies.
Recognizing these issues, NIS2 was introduced to provide a more comprehensive and harmonized approach. For Norway, which has adopted its own digital security act to implement NIS1, transitioning towards NIS2 will necessitate updates to the national act, reinforcing Norway’s commitment to enhancing cybersecurity resilience in line with evolving EU standards.
Read more about the Digital Security Act here.
Key Obligations
Entities subject to the act will be required to conduct a risk assessment of network and information systems used in the provision of the relevant service. Based on the assessment, entities must implement technical and organizational measures to ensure an appropriate level of security.
A proposed regulation to the Act specifies the requirements by requiring entities in scope to establish a security management system, conduct a comprehensive risk assessment, and implement appropriate security measures. These measures include organizational, technological, physical, and personnel security measures, tailored to the entity’s size and complexity. Entities must also have an emergency plan for incident management and notification, and involve subcontractors where relevant. Furthermore, providers of critical societal services must ensure that third parties, typically subcontractors, meet the entity’s security requirements.
The act further imposes a notification obligation to supervisory authorities where a security incident significantly impacts the service delivery. An initial notification must be provided within 24 hours, and include information about the affected service, the event with possible cause and consequence, and affected users. The information should be updated within 72 hours. In addition, providers of critical societal services must submit an incident report to the supervisory authority no later than one month from when the first notification was given.
Supervisory authorities have a right to demand information and access to encompassed entities’ premises and equipment. Breaches may be sanctioned by rectification orders and/or fines, not only directed at the entity level, but also towards individuals acting on behalf of the company.
Intellectual Property
Navigate the most recent legislative initiatives related to IP and secure your creations
Copyright in the Digital Single Market
Directive (EU) 2019/790 on copyright and related rights in the digital single market
Status
- EU: Date of application was 7 June 2021
- EEA: EEA Joint Committee has decided to incorporate the Directive into the EEA-agreement on 8 December 2023. The Committee decision will enter into force once parliaments in EEA/EFTA countries decide to adopt the decision.
- Norway: Pending
Scope
Directive 2019/790 has three main objectives: (i) to adapt certain key exceptions to copyright to the digital and the cross-border environment, (ii) to improve licensing practices and ensure wider access to content, and (iii) to achieve a well-functioning marketplace for copyright.
Relevance
Both Directive 2019/790 and Directive 2019/789 seek to solve copyright challenges in the light of transnational consumption and new technologies. The Norwegian Government has launched a hearing for implementing the Directive in the Norwegian Copyright Act, with a deadline set at 15 March 2024.
Key Takeaways
Directive 2019/790 is meant to further harmonize copyright legislation, as well as closely related rights. The Directive makes it easier to use copyright-protected material for different purposes, mostly related to access to knowledge, by introducing mandatory exceptions to copyright to foster text- and data mining, digital uses of works for the purpose of illustration for teaching, and the preservation of cultural heritage. Furthermore, the Directive aims to enhance protection of press publications for online use, as well as strengthening the rights of license holders.
Copyright on Radio and TV
Directive (EU) 2019/789 laying down rules applicable to certain online transmissions of broadcasting
Status
- EU: Date of application was 7 June 2021
- EEA: EEA Joint Committee decided to incorporate the Directive into the EEA-agreement on 8 December 2023. Entry into force once parliaments in EEA/EFTA countries decide to adopt the decision.
- Norway: Pending
Scope
Directive 2019/789 aims to improve the cross-border availability of television and radio programs in the internal market, by facilitating clearance of copyright and related rights for certain online services of broadcasters and for the retransmission of television and radio programs by means other than cable. The Directive also contains rules for programs transmitted via direct injection.
Relevance
Both Directive 2019/790 and Directive 2019/789 seek to solve copyright challenges in the light of transnational consumption and new technologies. The Norwegian Government has launched a hearing for implementing the Directive in the Norwegian Copyright Act, with a deadline set at 15 March 2024.
Key Takeaways
Directive 2019/789 is meant to increase access to broadcast programs from other Member States. It includes the application of the country of origin-principle for ancillary online services, rules governing the exercise of retransmission rights by rightholders other than broadcasting organisations, and provisions for mediation in cases where agreements cannot be reached. Additionally, it sets rules for the transmission of programs through “direct injection,” and amends the definition of “cable retransmission” in Directive 93/83/EEC. The Regulations in the Directive will have a positive effect on consumers, license holders and distributors.
Design Directive and Community Design Regulation
Revision of the design Directive and the community design Regulation (COM(2022)667 and COM(2022)666)
Status
- EU: European Parliament and the Council are still discussing. Close to adoption. Latest event: 14 March 2024.
- EEA: Pending. The Commission has marked the proposal as EEA-relevant
- Norway: Pending
Scope
The Design Directive and the Community Design Regulation apply to the registration of design rights and community design rights, respectively.
The proposal widens the scope of the Design Directive and Community Design Regulation by broadening the definitions of “design” and “products”. The definition of “design” will now extend to the movement, transition, or any other sort of animation of design features. The definition of “product” will now also include designs not embodied in physical products, objects materializing in digital form (e.g. NFTs), spatial arrangements of items intended to form an interior environment, and graphical user interfaces.
Relevance
The proposal to revise the Design Directive and the Community Design Regulation seeks to align the design protection systems in the EU with the digital age and make it more accessible and efficient for applicants. Of particular interest for the technology sector is the expanded possibility to register digital designs, such as graphic user interfaces.
Key Takeaways
Other main changes of the proposal include:
- Expanding the scope of design protection by including means such as 3D printing technologies
- Introduction of a “repair clause”, under which design protection shall not be conferred on designs that constitute component parts of a complex product on whose appearance the design depends, where they are used for the sole purpose of the repair of that complex product in order to restore its original appearance
- Revising the registration process, by broadening the means by which applicants can represent their designs, for example by video or 3D printing, and allowing applicants to combine multiple designs in one application.
EU-Wide Compulsory Licensing
Compulsory licensing of patents for crisis management (COM(2023) 224)
Status
- EU: European Parliament and the Council are still discussing, with the last event being on 26 June 2024.
- EEA: Not of EEA-relevance
- Norway: No information available
Scope
The initiative, once adopted, will cover all patents registered in the EU – both national and Unitary patents. In addition, patent applications, utility models and supplementary protection certificates (SPCs) will also be covered. The scope is limited to EU emergencies, such as a pandemic.
Key Takeaways
The proposal seeks to combat the geographical restrictions of national patent law, by granting the Commission the power to issue EU-wide compulsory licenses during an EU emergency. This means that third parties can obtain a license to use a patented invention without consent from the patent owner, when certain conditions are fulfilled. The license will be effective in all EU member states.
Relevance
The Commission put forward the initiative in the aftermath of the COVID-19 pandemic, where a lack of capacity to produce COVID-19 vaccines was a major bottleneck for governments when tackling the virus. Patent protection of the vaccine technology also contributed to a limited supply of vaccines.
Although governments can issue compulsory licenses to third parties to increase production capacity, a national compulsory license only has national effects. In the case of cross-border supply, which constitutes the norm within the EU, a third party must seek a license in every country in which it wishes to produce and sell the medicine, if the invention is patented in the given country. Today, there is no coordination mechanism in place between governments if a single third party has applied for a license concerning the same invention in several countries, which creates an administrative and economic barrier to seeking compulsory licenses overall. Thus, the initiative, once adopted, will equip the Commission with the powers to issue compulsory licenses effective in all EU member states through a single application, thereby removing the trade barriers to a certain extent.
Although the legal act likely will not be incorporated into the EEA agreement once adopted, the initiative is a major stepping stone for the Union when combatting epidemics and pandemics affecting EU member states and the internal market.
New rules on Geographical Indications
Regulation 2023/2411 on the protection of geographical indications for craft and industrial products
Status
- EU: Date of application is 1 December 2025
- EEA: Not of EEA-relevance
- Norway: No information available
Scope
EU-wide protection of geographical indications has traditionally been reserved for wines, spirit drinks and other agricultural products and foodstuffs, e.g. Champagne and Prosciutto di Parma. Starting from 1 December 2025, craft and industrial goods will benefit fully from EU-wide protection of geographical indications (such as Murano-glass and Donegal-Tweed).
The Regulation also has implications for already existing Regulations on protection of geographical indications.
Relevance
The Regulation is deemed as non-relevant for EEA. It is, however, worth having knowledge of this Regulation when handling European trademark matters.
Key Takeaways
This Regulation addresses the need for protection of craft and industrial products. The EU has deemed it necessary to grant protection to these types of products as they are often closely linked with specific geographical areas, which in turn often involve specific methods of production based on local knowledge that stretches far back in time.
Protection of geographical indications for craft and industrial products will, inter alia, help producers stay competitive in niche markets, provide consumers with better information about the authenticity of products, and boost regional economies.
Standard Essential Patents
Proposal for a regulation on framework for standard-essential patents (COM(2023) 232)
Status
- EU: Commission Proposal published on 27 April 2023. European Parliament adopts negotiating position
- EEA: Not of EEA-relevance
- Norway: No information available
Scope
The legal act will affect patent holders whose invention is considered essential to a standard (a standard-essential patent, SEP), such as 5G-technology or USB. Standards are developed by businesses through standard-setting organizations (SSOs). Such technology is essential for many devices or activities in everyday life and is therefore unavoidable.
Relevance
Although the initiative is not of EEA-relevance, it is worth having knowledge of the proposal when dealing with SEPs and FRAND-licensing.
Key Takeaways
The proposal concerns the licensing of SEPs. In order to use a SEP, third parties will need a license to use the patent. SSOs require SEP-owners to provide licenses on FRAND-terms (fair, reasonable, and non-discriminatory). Today, many disputes arise during negotiations of FRAND-terms, and the system of obtaining a license is non-transparent and unpredictable.
The Commission Proposal creates a framework for SEP-licensing. SEP-owners must register their standard in a database at EUIPO and will be subject to a maximum royalty rate when licensing their technology. In addition, EUIPO will facilitate dispute resolution to determine FRAND-terms. The framework will not aim to standardize the FRAND-terms in advance, as the exact contents of a license should be negotiated between the parties.
Supplementary Protection Certificates (SPC)
Four new regulations on supplementary protection certificates for medicinal products and plant protection products
Status
- EU: Commission Proposal published on 27 April 2023
- EEA: Pending. The Commission has marked the proposals as EEA-relevant
- Norway: Pending
Scope
On 27 April 2023, the Commission proposed a comprehensive reform of the SPC regime, including four Regulation proposals. Supplementary protection certificates (SPCs) are intellectual property rights extending the 20-year term of patent protection for medicinal or plant protection products by up to five years.
Relevance
The amendments to the Regulation on SPCs for plant and medicinal products are marked as EEA-relevant, but Norwegian authorities have not yet decided on how the changes should be incorporated into Norwegian law. As the EEA states are not part of the unitary patent system, a unitary SPC will not confer rights in the EEA states.
Key Takeaways
The new Regulations from the EU on SPCs aim to simplify the EU’s SPC system as regards national SPCs for plant protection products and medicinal products, as well as to improve its transparency and efficiency. This reform will replace the existing SPC Regulations with new ones, for medicinal products and plant protection products respectively. Each will establish a centralized SPC filing and examination procedure that will give rise to a bundle of national SPCs in the designated EU member states. The centralized procedure will be available where the basic patent is a European patent, and the product has market authorisation.
Further, two additional proposals also introduce unitary SPCs both for medicinal products and for plant protection products on the basis of unitary patents. It is the European Union Intellectual Property Office (EUIPO) that will handle both unitary SPC applications as well as centralized SPC applications.
Unitary Patent System
Status
- EU: Effective in 17 participating EU member states
- EEA: Not relevant
- Norway: No information available
Scope
The Unitary Patent system covers all patentable inventions.
Relevance
Although a Unitary Patent will not grant patent protection in EEA countries, Norwegian inventors can register a patent with unitary effects through EPO. A Unitary Patent can be said to be a double-edged sword: although it limits the administrative burden for patent owners by making it possible to invoke patent infringement before a single court, the patent owner also runs the risk of having the patent revoked through a single decision. In the latter circumstance, the revocation of the patent will be effective in all participating EU member states, whereas a patent without unitary effects would have to be revoked in all individual countries where the patent is registered.
Key Takeaways
On 1 June 2023 the Unitary Patent System was successfully launched. The Unitary Patent is a legal title, granted by the EPO, that provides uniform patent protection across the EU member states that have ratified the Agreement on a Unified Patent Court. The Unified Patent Court offers a common patent jurisdiction (both Unitary Patents and European patents) for the participating member states. A Unitary Patent does not confer patent rights in the EEA/EFTA States.
Platforms and eMarkets
This section breaks down the legislative initiatives governing digital markets and platforms, including legislation designed to promote fair competition, transparency, and accountability in the digital sector.
Digital Markets Act
Regulation 2022/1925 on contestable and fair markets in the digital sector
Status
- EU: Date of application was 2 May 2023
- EEA: Pending. The Commission has marked the Regulation as EEA-relevant
- Norway: Pending
Scope
The Digital Markets Act (“DMA”) requires that the big tech companies, the so-called “gatekeepers”, comply with the DMA in the provision of their core platform services. The classification as gatekeeper follows a set of objective criteria:
- Firstly, the service provider needs to have a significant impact on the internal market. The DMA sets a high threshold before the condition of significant impact is presumed to be met (annual turnover in the EU equal to or above EUR 7,5 billion in each of the last three years or a market value of EUR 75 billion in the last year).
- Secondly, the service provider must deliver a core platform service which is an important gateway for business users to reach end users. Again, the threshold is high before the condition is presumed to be met (45 million monthly active end users in the last year and over 10 000 yearly active business users).
- Thirdly, the service provider needs to hold a strong and durable position in the market.
The core platform services covered by the DMA are explicitly specified and include online intermediation services, search engines, social networks, video-sharing services, web browsers and cloud computing services, among others.
Note that the EU Commission is granted the authority to classify service providers as gatekeepers on the basis of a market investigation even if the abovementioned market thresholds are not met.
Relevance
It is expected that classification as a gatekeeper will be reserved for the big tech companies. As of now, the EU Commission has designated Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft as gatekeepers in relation to certain services. While we do not expect many Norwegian companies to be subject to the DMA, a proper understanding of the DMA will be important in order to protect the legal rights of Norwegian companies, either as competitors or customers of the gatekeepers. The DMA is likely to be implemented in Norway through a new act.
Key obligations
In order to ensure open and fair digital markets, the DMA introduces a set of obligations and prohibitions that gatekeepers must comply with.
Gatekeepers must allow business users access to their data and make it easy for consumers to switch platforms or services and ensure that their messaging services are interoperable with those of competitors, facilitating a broader choice for consumers.
Further, to foster a more competitive digital environment, the Regulation restricts gatekeepers from ranking their own products or services higher than those of their competitors on their platforms, and from pre-installing certain software applications and setting their own services as the default. Additionally, gatekeepers are not allowed to force users to sign up for additional services as a condition for using their platform.
The Regulation also imposes a general ban on retaliating against users who take advantage of the rights and options provided by the DMA.
Non-compliance with the DMA may result in significant fines (up to 20% of the gatekeeper’s total worldwide annual turnover) or structural obligations, such as the sale of (parts of) a business.
Digital Services Act
Regulation 2022/2065 on a Single Market For Digital Services
Status
- EU: Date of application was 17 February 2024
- EEA: Pending. The Commission has marked the Regulation as EEA-relevant
- Norway: Pending
Scope
The DSA applies to providers of intermediary services, such as internet access providers, hosting services, domain name registrars, online marketplaces, app stores, social networks, content-sharing platforms and online travel and accommodation platforms.
The DSA classifies these intermediaries into different categories, such as intermediary services, hosting services, online platforms, and very large online platforms (VLOPs), each subject to tailored obligations based on their size, impact, and the risk they pose to society.
Relevance
An important backdrop for the DSA is a desire to regulate today’s situation where platform owners themselves may determine what content should be displayed, and what should be removed. Manipulation of content may pose risks to principles of democracy, e.g. in connection with elections. The DSA further aims to ensure equal market conditions for platform providers, a market dominated by a limited number of actors.
Implementation in Norway is expected to be made through a new act and amendments to the Norwegian E-commerce act.
Key Obligations
Intermediary services will be required to publish transparency reports on their content moderation practices, including the handling of illegal content and the implementation of their terms of service. Platforms must establish mechanisms allowing users to easily report illegal content and take swift action to remove or disable access to such content, while at the same time safeguarding users’ fundamental rights to freedom of expression and information.
Online marketplaces must ensure the traceability of business users on their platforms to combat the sale of illegal goods, services, or content, and allow for effective internal and external complaints (e.g. with respect to removal of content). Further, users must receive clear information about why they are shown specific advertisements and who is sponsoring them. Manipulative design (such as “dark patterns” that could prevent users from making free and informed decisions) will be prohibited.
VLOPs face additional obligations, such as risk assessments, independent audits, and adherence to codes of conduct. They must also provide data access to researchers, e.g. to understand how online risks evolve. This would in practice entitle researchers to conduct “scraping operations” on platforms for authorized purposes.
EIDAS Regulation
Regulation 2024/1183 amending Regulation 910/2014 as regards establishing the European Digital Identity Framework
Status
- EU: Date of application 8 August 2025
- EEA: Pending
- Norway: Pending
Scope
The eIDAS Regulation (electronic identification and trust services) aims to facilitate secure and seamless electronic transactions and to establish a standardized framework for electronic identification and trust services across the European Union.
Providers of eID (electronic identification), electronic signatures, electronic seals, timestamping services, electronic delivery services and certificate services for website authentication are covered by the rules of the regulation.
The amendments represent a significant expansion of the scope of the regulation; member states are not only required to recognize, but also to provide means of electronic identification, and the scope is extended to cover new types of trust services as well as the implementation of a new digital wallet. This wallet, in addition to serving as a high-level eID solution, can also include certified attributes such as driver’s licenses, diplomas, vaccine passports and more.
Relevance
The regulation ensures mutual recognition of eID and trust services across member states, enabling individuals and businesses to access online services across borders. It promotes trust, security, and interoperability in electronic transactions, fostering the development of a digital single market within the EU. The member states are empowered to establish their own penalties and enforcement mechanisms for non-compliance with its provisions.
Key Obligations
Key obligations under the regulation are:
- Mutual recognition of electronic identification in the Member states.
- Electronic signatures and seals that comply with eIDAS are legally valid and enforceable.
- Providers of qualified trust services must meet specific requirements and be listed on trusted service lists.
- Trust service providers must ensure security and integrity of their services.
Electronic Communication Code
Directive (EU) 2018/1972 establishing the European Electronic Communication Code
Status
- EU: Date of application was 21 December 2020
- EEA: EEA Joint Committee decided to incorporate the Directive into the EEA-agreement on 24 September 2021. Entry into force once parliaments in EEA/EFTA countries decide to adopt the decision
- Norway: Proposal for new Electronic Communications Act published on 12 April 2024
Scope
The ECD modernizes and consolidates the existing electronic communications Directives from the early 2000s, implemented in Norway through the Electronic Communications Act. Its main purpose is to stimulate investments in and the rollout of high-speed networks across the EU, strengthen the internal market, and enhance consumer rights. The ECD also broadens the scope of application to cover services on new platforms (such as Messenger, WhatsApp) to ensure a level playing field for operators, and the Norwegian implementation also contains regulations addressed at data centre providers.
The Directive also introduces a universal service obligation for basic broadband service (so that all end-users can access basic broadband services at a reasonable price at a physical address).
The ECD primarily applies to providers of electronic communications networks (physical and virtual infrastructure used to convey signals across points), electronic communications services (services providing connectivity to the internet and services enabling direct interpersonal and interactive exchange of information between a finite number of persons) and associated facilities/services (access to physical infrastructure, databases, software, systems for billing or customer management, and other services necessary for the provision of electronic communications).
Relevance
The ECD addresses the challenges and opportunities arising from the increasing demand for mobile broadband and the need for high-speed internet as a foundation for innovative digital services. For businesses, it offers a clearer regulatory environment that encourages investment in high-speed networks and new technologies like 5G. For consumers, it promises better services, more choices, and enhanced rights.
The ECD will be implemented in Norway through a new Electronic Communications Act, replacing the existing framework which was drafted in a time where only half of the Norwegian population had internet access at home, and where smartphones were practically non-existent. The new act is modernised to support technological developments, a new digital threat landscape and users’ need for access to high-speed internet. The proposal is now formally awaiting approval by the Norwegian parliament.
Key Obligations
The ECD introduces several obligations to safeguard a variety of purposes.
The existing market regulation regime (with the possibility of asymmetrical regulations for providers with significant market power like Telenor in Norway) is maintained, with some adaptations. For instance, the obligation of significant market players to provide access to competitors is limited where competitors have been offered reasonable opportunities to co-invest in new high-speed networks. It further allows certain obligations to be imposed on owners of parts of the fixed network (e.g., in housing cooperatives), and grants the authority to mandate national roaming in mobile networks in areas where parallel network establishment is economically inefficient or physically impossible.
Member States must manage radio spectrum more effectively and promote efficient use, ensuring long-term investment certainty for operators. This includes coordinating spectrum assignments for wireless broadband and 5G networks, with a minimum license duration of 15 years to stimulate investments.
Consumers are expected to benefit from fully harmonized transparency requirements with respect to contract terms, service quality, prices and the possibility to switch providers with number portability. The Norwegian Electronic Communications code obliges providers to make it easy for users to switch providers without interruption of internet service, allows for more control of consumption and costs, and enhances security and privacy obligations of providers by imposing risk management and measures to protect the security of networks and services.
The consent requirement for cookies and related technologies is enhanced by harmonizing it with the consent requirements set out in the GDPR (freely given, specific and informed). Implicit consent through web browser settings will likely no longer be sufficient in Norway.
The Norwegian legislative proposal includes data centre regulations, and requires data centre operators to register with authorities prior to commencing their operations, implement adequate security measures and emergency preparedness, and prioritize important societal actors when needed.
Providers are required to ensure that all end-users, regardless of their geographic location, have access to affordable and high-quality electronic communications services, including voice and data services. It is also worth noting that number-independent services (such as Messenger and WhatsApp) will be subject to universal service obligations such as allowing users with disabilities to call the emergency number.
European Media Freedom Act
Regulation (EU) 2024/1083 establishing a common framework for media services in the internal market and amending Directive 2012/13/EU
Status
- EU: Date of application was 11 April 2024
- EEA: Pending
- Norway: Pending
Scope
The European Media Freedom Act aims to safeguard and advance media freedom and pluralism throughout the European Union. It aims to create a media landscape that upholds the principles of freedom of expression, access to information, and democratic values. The act seeks to prevent undue influence, censorship, and restrictions on media outlets, journalists, and their ability to report freely and independently. It also addresses issues related to media ownership, transparency, and accountability.
Relevance
Businesses such as media organizations, advertising and PR Agencies, digital platforms and social media companies and businesses with media partnerships should pay particular attention to the act, due to the more direct impact of the act.
The specific penalties for non-compliance with the European Media Freedom Act may vary depending on the laws and regulations of individual member states.
Key Obligations
Key obligations in the European Media Freedom Act include protecting and promoting media freedom and pluralism, ensuring the independence of media organizations, preventing undue influence or censorship, promoting transparency and accountability in media ownership, and safeguarding journalists’ rights to report freely and independently.
Web Accessibility Directive
Directive 2016/2102 on the accessibility of the websites and mobile applications of public sector bodies
Status
- EU: Effective from 11 October 2018
- EEA: Deadline for implementation was 1 April 2024
- Norway: Incorporated
Scope
The Web Accessibility Directive ensures that websites and mobile applications of public sector bodies are accessible to all individuals, including those with disabilities.
The directive applies to public sector bodies at the national, regional, and local levels, as well as entities that provide services on their behalf.
The directive aims to remove barriers and provide equal access to information and services online, promoting inclusivity and non-discrimination. Accessibility requirements include providing alternative text for images, ensuring proper color contrast, and implementing keyboard navigation options.
Relevance
Public sector bodies, and entities that provide services on their behalf, should be aware of the Web Accessibility Directive, as non-compliance may lead to legal consequences, including fines, and reputational damage. The specific legal consequences of non-compliance with the Web Accessibility Directive may vary depending on the laws and regulations of individual member states.
Key Obligations
Key obligations in the Web Accessibility Directive include ensuring compliance with accessibility requirements, providing accessibility statements, monitoring and reporting on accessibility, addressing identified issues, and collaborating with stakeholders to promote equal access to digital services.